8be62f5445c27ddf6f28c68f524377fa1fd7801bca0dcea71bb7e5ed46336a94

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Size

216KB
MD5

09f7d941f77ab2ab067eab1fc0e08989
SHA1

39e8a2274029eac1867271872d1bfaa16eaf473c
SHA256

8be62f5445c27ddf6f28c68f524377fa1fd7801bca0dcea71bb7e5ed46336a94
SHA512

9740214327092df31da129d872a2c8945e534360f70c48d22d4feb359a0408d5e5c68700a10f524b2a546dfd57da151fbcec041073ce393a51d68bfeaa69a48d
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG/lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003100000001396e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003200000001396e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000001396e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000139ea-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001396e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000139ea-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001396e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000140fb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07FAD8C8-E49D-4fbc-9185-E66053290B54}	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0097032F-85D5-4f1c-96D0-705FA8B657A9}	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}\stubpath = "C:\\Windows\\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe"	{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC08185-B467-4539-AE8A-21F4AD3D3637}	{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}\stubpath = "C:\\Windows\\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe"	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}\stubpath = "C:\\Windows\\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe"	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC08185-B467-4539-AE8A-21F4AD3D3637}\stubpath = "C:\\Windows\\{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe"	{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}	{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}\stubpath = "C:\\Windows\\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe"	{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0097032F-85D5-4f1c-96D0-705FA8B657A9}\stubpath = "C:\\Windows\\{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe"	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29886529-629E-44b1-9C28-B4F7ACCC8239}	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}\stubpath = "C:\\Windows\\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe"	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}\stubpath = "C:\\Windows\\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe"	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07FAD8C8-E49D-4fbc-9185-E66053290B54}\stubpath = "C:\\Windows\\{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe"	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C121238-1B90-4aef-8331-9CE8A1710E81}\stubpath = "C:\\Windows\\{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe"	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C121238-1B90-4aef-8331-9CE8A1710E81}	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29886529-629E-44b1-9C28-B4F7ACCC8239}\stubpath = "C:\\Windows\\{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe"	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}	{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
2172	{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
2304	{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
2144	{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
2480	{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
File created	C:\Windows\{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
File created	C:\Windows\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe	{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
File created	C:\Windows\{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
File created	C:\Windows\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe	{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
File created	C:\Windows\{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe	{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
File created	C:\Windows\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
File created	C:\Windows\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
File created	C:\Windows\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
File created	C:\Windows\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
File created	C:\Windows\{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
Token: SeIncBasePriorityPrivilege	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
Token: SeIncBasePriorityPrivilege	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
Token: SeIncBasePriorityPrivilege	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
Token: SeIncBasePriorityPrivilege	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
Token: SeIncBasePriorityPrivilege	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
Token: SeIncBasePriorityPrivilege	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
Token: SeIncBasePriorityPrivilege	2172	{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
Token: SeIncBasePriorityPrivilege	2304	{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
Token: SeIncBasePriorityPrivilege	2144	{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2664	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	28
PID 2912 wrote to memory of 2664	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	28
PID 2912 wrote to memory of 2664	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	28
PID 2912 wrote to memory of 2664	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	28
PID 2912 wrote to memory of 2768	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	29
PID 2912 wrote to memory of 2768	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	29
PID 2912 wrote to memory of 2768	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	29
PID 2912 wrote to memory of 2768	2912	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	29
PID 2664 wrote to memory of 2904	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	32
PID 2664 wrote to memory of 2904	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	32
PID 2664 wrote to memory of 2904	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	32
PID 2664 wrote to memory of 2904	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	32
PID 2664 wrote to memory of 2572	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	33
PID 2664 wrote to memory of 2572	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	33
PID 2664 wrote to memory of 2572	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	33
PID 2664 wrote to memory of 2572	2664	{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe	33
PID 2904 wrote to memory of 3008	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	34
PID 2904 wrote to memory of 3008	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	34
PID 2904 wrote to memory of 3008	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	34
PID 2904 wrote to memory of 3008	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	34
PID 2904 wrote to memory of 2324	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	35
PID 2904 wrote to memory of 2324	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	35
PID 2904 wrote to memory of 2324	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	35
PID 2904 wrote to memory of 2324	2904	{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe	35
PID 3008 wrote to memory of 960	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	36
PID 3008 wrote to memory of 960	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	36
PID 3008 wrote to memory of 960	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	36
PID 3008 wrote to memory of 960	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	36
PID 3008 wrote to memory of 1932	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	37
PID 3008 wrote to memory of 1932	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	37
PID 3008 wrote to memory of 1932	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	37
PID 3008 wrote to memory of 1932	3008	{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe	37
PID 960 wrote to memory of 900	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	38
PID 960 wrote to memory of 900	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	38
PID 960 wrote to memory of 900	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	38
PID 960 wrote to memory of 900	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	38
PID 960 wrote to memory of 2876	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	39
PID 960 wrote to memory of 2876	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	39
PID 960 wrote to memory of 2876	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	39
PID 960 wrote to memory of 2876	960	{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe	39
PID 900 wrote to memory of 2820	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	40
PID 900 wrote to memory of 2820	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	40
PID 900 wrote to memory of 2820	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	40
PID 900 wrote to memory of 2820	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	40
PID 900 wrote to memory of 2828	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	41
PID 900 wrote to memory of 2828	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	41
PID 900 wrote to memory of 2828	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	41
PID 900 wrote to memory of 2828	900	{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe	41
PID 2820 wrote to memory of 764	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	42
PID 2820 wrote to memory of 764	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	42
PID 2820 wrote to memory of 764	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	42
PID 2820 wrote to memory of 764	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	42
PID 2820 wrote to memory of 3016	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	43
PID 2820 wrote to memory of 3016	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	43
PID 2820 wrote to memory of 3016	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	43
PID 2820 wrote to memory of 3016	2820	{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe	43
PID 764 wrote to memory of 2172	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	44
PID 764 wrote to memory of 2172	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	44
PID 764 wrote to memory of 2172	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	44
PID 764 wrote to memory of 2172	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	44
PID 764 wrote to memory of 1092	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	45
PID 764 wrote to memory of 1092	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	45
PID 764 wrote to memory of 1092	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	45
PID 764 wrote to memory of 1092	764	{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
  C:\Windows\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
    C:\Windows\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
      C:\Windows\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
        
        C:\Windows\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
        
        C:\Windows\{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
        
        C:\Windows\{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
        
        C:\Windows\{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
        
        C:\Windows\{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29886~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
        
        C:\Windows\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
        
        C:\Windows\{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe
        
        C:\Windows\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC08~1.EXE > nul
        12⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D2D~1.EXE > nul
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00970~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C121~1.EXE > nul
        8⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07FAD~1.EXE > nul
        7⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E34D~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA48~1.EXE > nul
        5⤵
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E21~1.EXE > nul
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E8EF~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0097032F-85D5-4f1c-96D0-705FA8B657A9}.exe

Filesize
216KB

MD5
b2d300af22636f164ca77a1f97fec5ed

SHA1
f8a1a3ae214cc1b763c099ae67379a5d61043e8f

SHA256
2c6b71e34daaa445bf07ab5974abdccc8304ebe58ce4612b15102775d1b96a61

SHA512
8ee34b00a286cb36a3d530f1c9c334dc0f3c9158b327c9bcc87507609635b5f08d47af63395ba74b37afc01574b5e17dc6b1a6a313c1f12b432aa1e0c30071f1

Download Submit
C:\Windows\{06D0B4BB-BEC1-458a-B4F9-DB34A365A55D}.exe

Filesize
216KB

MD5
b8ca01732e9df5224b4af96eaf357e40

SHA1
23934839572c3ae46897476c218982daa8e62d3a

SHA256
e586e3786d513054b87b9a81469f2dd2635156318bce801d6ff838bc23390cff

SHA512
471c223f8a2314c050ac789f0c9ba64f9626e42b5e58230062dba3384c52c674c048c36bee58ab8ac62c1bcb694ad842299b8cd16ac3fad95bd63109d2953931

Download Submit
C:\Windows\{07FAD8C8-E49D-4fbc-9185-E66053290B54}.exe

Filesize
216KB

MD5
69d0acf2f4a3228f9feafb4d1315c3c0

SHA1
e52b1d89ca228830a5f37e517344c73e2a70ed16

SHA256
575c4f030585989c13760d24ba81a5e70b5ec797342657d29c25472a028e3683

SHA512
81054512e76eb514466842206d067172bff6500c6ef9fa4bd3cb660f946f8757ef89a2df9eee61116e6515c0f21b7f1a87f6c4860c679cfb239b18157b4b0148

Download Submit
C:\Windows\{29886529-629E-44b1-9C28-B4F7ACCC8239}.exe

Filesize
216KB

MD5
e3bb76085b978b1e9d98c1fa276527b5

SHA1
9a86c78df4992744957b0893abf372f1845e5a61

SHA256
857387d12f159aef012a3c753b8b697d36df71fbd4b57a13ce0b0f31d76cb057

SHA512
5d519bb8a324dc7387a26877015214b9a414544885411a4b1208fd4d0c261f589994fa3ece7c2b5a164bbad59af0b54751e8a1221f11f964923baab93f743ef2

Download Submit
C:\Windows\{3E8EF04C-821F-4fb3-BC5E-8162D6D16A36}.exe

Filesize
216KB

MD5
53025d34b90f3b075c7dcbcf4fcc2212

SHA1
33bb39b0866d540ec546843faf91dfa523e4c2dd

SHA256
7680fe1a8527a1844acf6732c903f0ee90e9a44cfa6c18922f20200dc63e9298

SHA512
62c039354011cd21a7270f70f1b1ee0a164d4e4ea01b72542c0cf1314affe45f90348a7b98275a847deeaf6c361dc0ba90030ab8b9f4f5df4ac396daae4ffc1c

Download Submit
C:\Windows\{7C121238-1B90-4aef-8331-9CE8A1710E81}.exe

Filesize
216KB

MD5
e1d4d5976fe62cc09c93a451c8018bfd

SHA1
a5e186191873b7857dc5bb3b63594aa5c6131911

SHA256
c0226674d2fb0b671e496a7d59ef3ee3af3be5640c22ebad4f516572af24466f

SHA512
824d8ad52d9e5391f9e63fb35e096932507420f355c929d965ef9b1f206155e27add73ce971687f183cce1ba5c1b5f4df425b3391dfad0d3ac9033c2cad4c37a

Download Submit
C:\Windows\{7E34DC99-9A4F-490f-BFF6-48FBA1511EB0}.exe

Filesize
216KB

MD5
2d6bc2693ec05c70688b504c6957c886

SHA1
82f3c5be74cac8438614e680fe54787f60713543

SHA256
c962ce749f793658df6a6113d277f30031039463682c03bcf8ba929e34890b06

SHA512
0e52ba0b4e855008c139680b96509d111d26c0492f8aec364db5d3497d1e21c2130c1fd157615c2b3e3aaa6807f2f099f6501930924d332291936c3242b5a577

Download Submit
C:\Windows\{A9E21284-322C-40b6-B3FC-FF14B5DA7A7B}.exe

Filesize
216KB

MD5
a6ae0d18320c46928d017cf5021f2dfc

SHA1
14a1435760c9b335bc0d97b069147e80e56e8151

SHA256
950bdccdc04c343a4ee9c8f089d497884c79a680319a22d6e6171abe190e87bd

SHA512
e3afde5f4323189b56bcd16b688971d4a11216678c912732cbf2e2b9aa1c8a2a5e93c5072efab5ed21f442e9b2b2c20cb6666005ca8dea8f5a4e7ff48d2832cb

Download Submit
C:\Windows\{B2D2D4E7-2AE7-477a-B3B1-B9F7E34E00D8}.exe

Filesize
216KB

MD5
4c06baf76596b8d19c22b526bd2d753a

SHA1
d0eb05ce77f8b39823f5c3776dd74b7436c892d2

SHA256
1356d1ee5e7654aa1be66d695b434cba8458a791685bfb86ac8e78981dd5240d

SHA512
6df7472c9cc42b3a8bbdad7fa3d41c25e1c8262505e41d98833f585106371d796b619558dd8a102fc4979ce98933d42e34ead5e171f33f2ef9774784ffa9e300

Download Submit
C:\Windows\{CBC08185-B467-4539-AE8A-21F4AD3D3637}.exe

Filesize
216KB

MD5
144328f6c3b43b5415ce2470c2b49446

SHA1
82a9f28897b1c79a8c929c6e0b7602bec3665b19

SHA256
c1049dfe7e7d851944aeb0dc5b2a0204d53dcaf0bc08c866c2b7c5a87c8cafd3

SHA512
df6e34dd7523e31d454798d27cc2bbcd7e2888261f7fbe955ca3cd28a8624c4ba819e95304fe6bbe3fb50a6bcc8dde39e59b8bc09e272e34785f36a20641ddc2

Download Submit
C:\Windows\{FDA48D84-D85C-41d7-B56A-1DB7F3901B11}.exe

Filesize
216KB

MD5
d478ac74cd8197d230327945aa2ec291

SHA1
075223073c09059af2621ea59e76a3480db0cee4

SHA256
7d928935f90cb3c3cd8a4a31388d6b45342495d13d04928886fb7245d08c8f52

SHA512
7f3194c6e56886b53537df9a853d62002582a6781aa5d961c7c0a43e0cc04ff0ea393fd6b308405d678147ed63a590313e1e96758e1f7a27e1c59ce9b37b6964

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads